Digital certificate breach at Indian authority also targeted Yahoo domains, possibly others

The full scope of the security breach is currently unknown, a Google security engineer said

The scope of a recent security breach at a digital certificate authority (CA) controlled by the Indian government is bigger than initially thought and also targeted domain names owned by Yahoo, in addition to several owned by Google.

Google said Tuesday that a week earlier it detected several certificates for Google domain names that had been issued without authorization by the National Informatics Centre (NIC), a branch of the Indian Ministry of Communications and Information Technology.

Certificate authorities are supposed to only issue digital certificates to the owners of the domain names for which they are requested. That's because in the hands of attackers rogue certificates can be used to impersonate legitimate websites and snoop on the encrypted communications of users who connect to those sites if their connections are intercepted en route.

As a CA, NIC was subordinated to India's Controller of Certifying Authorities (India CCA), a certificate authority included in the Microsoft Root Store and trusted by default by the majority of programs that run on Windows, including Google Chrome and Internet Explorer. Mozilla Firefox wasn't affected by the incident because it maintains its own root store that didn't include India CCA. Web browsers running on Linux, Android or Mac OS X were not affected either.

It wasn't clear initially whether NIC issued the rogue certificates for Google's domain names as a result of human error or a security breach, but an investigation by India CCA pointed to the latter.

India CCA "reported that NIC's issuance process was compromised and that only four certificates were misissued; the first on June 25," Google security engineer Adam Langley said Wednesday in an update to his original blog post about the issue. Of the four certificates wrongly issued by NIC and identified by India CCA, three were for Google domain names and one was for domains belonging to Yahoo, Langley said.

India CCA and NIC did not immediately respond to an inquiry seeking more information about how the breach occurred and its impact.

According to Langley, Google is aware of more rogue certificates issued by NIC aside from the four mentioned by India CCA. As a result the company "can only conclude that the scope of the breach is unknown," he said.

NIC's own CA certificates have been revoked by India CCA following the compromise and the organization has a notice on its website that reads: "Due to security reasons NICCA [NIC Certifying Authority] is not issuing certificates as of now. All operations have been stopped for some time and are not expected to resume soon."

The revocation has affected Indian government websites with SSL certificates issued by NIC, because revoking a CA certificate invalidates all certificates signed by it. For example, attempting to access https://rtionline.gov.in/, an Indian government portal for submitting right to information (RTI) requests, in Google Chrome or Internet Explorer will result in a security error because its certificate was issued by NIC and is no longer trusted.

Despite the security breach happening at NIC, Google holds India CCA responsible as well because NIC's CA operated under its authority.

"A root CA is responsible for all certificates issued under its authority," Langley said. "In light of this, in a future Chrome release, we will limit the India CCA root certificate to the following domains and subdomains thereof in order to protect users: gov.in, nic.in, ac.in, rbi.org.in, bankofindia.co.in, ncode.in, tcs.co.in," he said.

SSL certificates for any other domain names that chain back to India CCA will no longer be accepted in Chrome.

NIC is not the first government-run certificate authority to issue rogue certificates. In September 2013, a CA certificate owned by the Treasury department of the French Ministry of Finance was used to issue rogue certificates for several Google domain names. The incident was the result of human error.

In July 2011, a hacker broke into the infrastructure of DigiNotar, a certificate authority used by the Dutch government, and issued hundreds of rogue certificates for high-profile domains. DigiNotar filed for bankruptcy following the security breach.

Incidents like these have raised questions about the security and trustworthiness of the public key infrastructure (PKI) in which hundreds of certificate authorities operated by private and public organizations have the power to issue certificates for any domain on the Internet that would be trusted by most browsers and operating systems. Several technical solutions have been proposed to limit the possible impact of CAs being compromised, but none of them have been widely adopted so far.

Google Chrome has a feature called public-key pinning that only accepts pre-defined certificates for some high-profile domain names. This feature would have prevented the rogue Google certificates issued by NIC from being used against Chrome users, but the solution only protects a limited number of popular domains.

Join the PC World newsletter!

Error: Please check your email address.

Tags YahoointrusionGoogleonline safetyIndian Ministry of Communications and Information TechnologyNational Informatics CentresecurityMicrosoftpki

Struggling for Christmas presents this year? Check out our Christmas Gift Guide for some top tech suggestions and more.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?